Cisco PIX 500 Series Configuration Manual page 215
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 13
Configuring AAA Servers and the Local Database
If you do not configure SASL, we strongly recommend that you secure LDAP communications with
Note
SSL. See the ldap-over-ssl command in the Cisco Security Appliance Command Reference.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data which
is applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a
single step.
Securing LDAP Authentication with SASL
The security appliance supports the following SASL mechanisms, listed in order of increasing strength:
•
•
You can configure the security appliance and LDAP server to support any combination of these SASL
mechanisms. If you configure multiple mechanisms, the security appliance retrieves the list of SASL
mechanisms configured on the server and sets the authentication mechanism to the strongest mechanism
configured on both the security appliance and the server. For example, if both the LDAP server and the
security appliance support both mechanisms, the security appliance selects Kerberos, the stronger of the
mechanisms.
The following example configures the security appliance for authentication to an LDAP directory server
named ldap_dir_1 using the digest-MD5 SASL mechanism, and communicating over an SSL-secured
connection:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# sasl-mechanism digest-md5
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)#
Setting the LDAP Server Type
The security appliance supports LDAP version 3 and is compatible with the Sun Microsystems JAVA
System Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active
Directory, and other LDAPv3 directory servers.
By default, the security appliance auto-detects whether it is connected to a Microsoft Active Directory,
a Sun LDAP directory server, or a generic LDAPv3 directory server. However, if auto-detection fails to
determine the LDAP server type, and you know the server is either a Microsoft, Sun or generic LDAP
server, you can manually configure the server type using the keywords sun, microsoft, or generic. The
following example sets the LDAP directory server ldap_dir_1 to the Sun Microsystems type:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# server-type sun
hostname(config-aaa-server-host)#
OL-12172-03
Digest-MD5 — The security appliance responds to the LDAP server with an MD5 value computed
from the username and password.
Kerberos — The security appliance responds to the LDAP server by sending the username and realm
using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos
mechanism.
Cisco Security Appliance Command Line Configuration Guide
Configuring an LDAP Server
13-13
Advertisement
Table of Contents
Troubleshooting
